Event Analyst
Simplifies Event Log Reporting, Correlation, and Auditing
Event Analyst is a tool for reporting on event log data, filtering log entries, and examining log files. Its special event log "windowing" technology enables administrators to examine different cross sections of event log records from multiple sources simultaneously without sacrificing speed. Event Analyst's highly intuitive interface allows the administrator to seek quickly through the logs, jumping to specific dates or rapidly scrolling through the logs chronologically.
Even with hundreds of thousands of entries, administrators can now pinpoint the specific network events of concern. Event Analyst provides room for local storage of frequently sought-after events and event filters, allowing administrators to file away definitions for commonly examined events. Once stored, these filters can be summoned as needed to quickly zero in on events of interest. In fact, Event Analyst ships with many predefined filters that are of immediate use to almost every network administrator.
Event Analyst works with a wide variety of event log data formats. It can view, filter, convert between, and report on saved EVT log files, comma-delimited text files, and EVT log information from active computers.
In Event Analyst 6 and later, Dorian's exclusive LogRefiner™ technology can help you in the migration from the log formats of earlier operating system versions to the newer EVTX format included in Windows Vista™ and Windows Server® 2008. Be sure to read more on this groundbreaking technology.
Providing even more flexibility for log data management strategies, event logs stored by Event Archiver® or Event Alarm® in Microsoft Access, Microsoft SQL Server, or Oracle database tables can be analysed by Event Analyst.
Once filtered, network professionals can generate reports based on pre-designed modules or user-customised ones. Event Analyst's clear and printer-friendly HTML and CSV reports prove invaluable for explaining network phenomena to managers and compliance officers, as well as providing security information to law enforcement agencies.
To save the administrator even more time, Event Analyst's prepackaged report modules can be scheduled using the Event Analyst Service. Scheduling a report is as easy as choosing a scheduled time and day, the source of the log records, a filter, and output folder. Reports may even be emailed automatically to a list of specified recipients.
Imagine coming into the office each morning and having the reports you need waiting for you and anyone else who has requested them. Why drop everything again to deal with another report request from an auditor or supervisor? Why not let this Monday morning be the first on which Event Analyst prepares those reports automatically for you?
Features
When used in conjunction with Dorian Software's Event Archiver® or Event Alarm® software, Event Analyst is one component of the patented Total Event Log Management Solution for monitoring, collecting, consolidating, and auditing event logs and syslogs. And, just as our other SEM (security event management) solutions work independently, Event Analyst alone can prove to be a powerful tool for your organisation.
Event Analyst 6 and later includes:
- Four New Pre-Built Reports Now Available - Visit our sample reports page for more.
- New Advanced Filter Features
  - Additional Relative Date Ranges - In the past, administrators could create advanced filters that returned log data a given number of days from the time the filter or report was actually executed. Now, administrators can create advanced filters that return log data a given number of days from the day prior to when the filter or report is run (e.g. from 12:00:00AM to 11:59:59PM), providing them with a clearer data boundary for scheduled report generation.
  - Quick Event ID Lookup - When building Advanced Filters that target one or more Event IDs, administrators can now multi-select them from the Friendly Event ID Manager, making it much easier to find the exact Event IDs that should be targeted.
  - Quick Computer Lookup - When building Advanced Filters that target one or more computers, administrators can now select them directly from a domain controller, browse list, OU, or custom domain listing.
- LogRefiner Technology for EVTX Log Format Compatibility - Find out more about this exclusive technology available only from Dorian Software.
- Log Entry Viewer - The recent history of Event Analyst's scheduled report operations is now simply a menu click away. In addition, administrators can filter the entries by type - information, warning, or error messages, for example - and then export them to HTML if necessary.
- Custom Domain Creation - As networks grow and merge, domain and workgroup structures expand in size and complexity. Event Analyst 6 tackles this problem by allowing network administrators to create "custom domains" - logical groups of related computers.
  For example, delegation of administration may require that an administrator manage specific servers in three different organisational units of a larger domain. Using Event Analyst, she can now map these individual computer names to a custom domain. Then, she can easily reference that custom domain whenever she needs to summon one of the computers' logs for analysis or reporting.
- Scheduled Report "Test" Feature - Now, after administrators create scheduled reports, they can immediately test them with a click of the button to see if they produce the results desired. Additionally, if reports must be run again, this feature reduces workload for the administrator.
- Pre-Built Report Summary Exporter - Event Analyst 6 supports the export of all pre-built report titles and what those reports target, making it easy for administrators to share this information with compliance or security officers.
. . . all this in addition to existing features that have made Event Analyst an industry standard for event log and security log reporting:
- Ships With Many Commonly Requested Reports - We've focused on providing the most commonly requested reports for you already. Find out more on our sample reports page.
- New Comma-Delimited (CSV) Reporting - Generate reports in both HTML and CSV formats. For administrators or compliance officers who need to document examples of audited activity, the CSV format is especially useful, as it can be manipulated directly in spreadsheet software.
- Direct Reporting - Users can still open up a log source in one of Event Analyst's log viewing windows before generating a report. Or, users can select a log source and immediately generate a report against it, bypassing the need to examine the data directly first. For those desiring immediate report generation, this feature saves significant time.
- Custom Report Designer - Better visualize the grouping and sort order of your layouts with a grid-style editor. You can immediately test your layout against sample data after you create it.
- Friendly Event ID Definitions for Custom Reports - The Friendly Event ID Manager allows the creation of special definitions for specific event identifiers (Event IDs) that correspond to event sources in certain log types. The Friendly Event ID Manager ships with over 100 definitions already in place, with almost the entire range of security log events predefined for user convenience. When custom reports are prepared, if a friendly definition exists for a specific Event ID, Event Analyst automatically places the definition alongside the number for better report readability.
- Condensed Versions of Selected Reports - In direct response to the requests of our clients, Dorian Software has created condensed versions of certain reports. Find out more on our sample reports page.
- Optimised Report Generation - Although, of course, results vary based on a number of network-specific variables, Event Analyst's reports and custom reports are engineered for the fastest possible generation. For scheduled reports that must process large volumes of data, this optimisation is a critical time-saver.
- Report Link Emailing - To minimize potential issues with reports as attachments, Event Analyst can send links to reports via a UNC share path. When enabled, the default scheduled reports folder in Event Analyst is shared, and emails contain a reference to the report files in that share. However, users can select other UNC paths for report creation and linking as desired.
- Filter Name Inclusion in Report Filenames - To better distinguish between scheduled reports of the same type, Event Analyst can be configured to automatically append the name of the filter used when generating the report to the filename.
- True Organisational Unit Support - Larger domains with administrative control distributed among different OUs in Active Directory can configure Event Analyst to work within an OU and its children. The Event Analyst Service account can be configured to run as an OU Admin (with local administrative control over computers in the OU), and administrators can limit the computer accounts retrieved by Event Analyst in various operations to a specific OU, as opposed to the entire domain.
- Faster Analysis and Reporting With Local Backups of Active Event Logs - In many cases, working with a local backup copy of an event log can speed analysis and reporting. Therefore, when opening an active event log on a network computer for analysis, Event Analyst now provides the option to make a backup copy of the event log or transfer it to the machine running Event Analyst for analysis.
- Automatic Opening of Zipped EVT Files - Automatically uncompress and open archived EVT files that were compressed by Event Archiver, Dorian Software's companion log collection tool.
- Advanced Filter Cloning - A cloning feature for rapid duplication of filters is included to help in defining multiple advanced filters with similar characteristics.
- Single-Click Report Scheduling - With a single menu click or button press, an administrator can schedule a report against the log source he or she is viewing inside Event Analyst. All characteristics of the log source, including computer names, database links, filters, etc. are transferred into the report scheduling dialog automatically. All the administrator must do is choose the report desired and the schedule on which it is generated, greatly reducing the potential for error.
- Compression for Emailed Reports - Report files can now automatically be compressed before being sent by email. This is good for minimising network traffic demands or for accommodating strict email policies.
- Advanced Emailing Options - Scheduled reports set for automated email have additional customisable settings. Administrators can specify the sender address Event Analyst uses when relaying mail through an SMTP server, in order to meet internal SMTP security standards. Additionally, administrators can craft a custom email subject line to help them differentiate between similar reports that come from different log sources.
- Charts Included in Many Reports - Easy-to-read charts allow for quick review of problem areas and issues before digesting the more detailed, tabular information that follows. And, charting can be enabled/disabled globally when desired.
- Cloning Scheduled Reports - Event Analyst supports convenient cloning of scheduled reports. Users can quickly use a previously scheduled report as a template for a new report if only a few minor details need to be changed.
- Commonly Used Filters - Even more filters - many of them Windows 2003-specific - have been added to Event Analyst's Basic Filter database for convenience and quick recall. In addition, several Advanced Filters have been pre-defined to search for certain types of commonly sought-after security activity.
- Faster Reporting Through Auto-Configuration of Event Archiver Database Tables - For faster reporting, Event Analyst can automatically index and configure tables when connected to an Event Archiver database in Microsoft Access or Microsoft SQL Server.
- Simple Viewing of Log Sources - Through an easy-to-use inventory of database and table links, finding and managing log database sources is simple.
- Oracle Database Support - Tables that you create for Oracle 9i with Event Archiver can be managed with native support in Event Analyst.
- Customisation Capability and Ready-to-Use Filters - Mine for data using custom sorting to focus only on the data you need.
- Event Log Entry Research Capability - Utilising the Event Research Window and by way of www.eventlogs.com, users can research and decipher event log files and get recommendations for related Event Analyst Summary Reports.
Sample Reports
Event Analyst ships with many commonly-used reports - most designed specifically because of customer demand. If you face regulatory compliance or internal compliance standards, be sure to share this page with your compliance specialists. And, don't forget that if your specific report is not already provided, Event Analyst ships with a custom report designer.
If you do have a need for a report not currently shipping with Event Analyst, please email info {at} pnltools.com and let us know about it.
In direct response to the requests of customers, Dorian Software has created condensed versions of these reports:
- Logon Failures - Active Directory (Kerberos)
- Logon Failures - Local Workstations and Servers
- Successful Logons - Workstations and Servers
These condensed reports are useful to all organisations, but are especially useful to larger organisations with great volumes of auditing data. Since they present tallies of logon information by user, they reduce the size of the report, and compensate for excessive logon audits generated by malfunctioning service accounts and network utility software. In addition to the condensed versions of the reports, the detailed versions remain available to track all logon activity for certain users or all users.
Reports for tracking file and folder access and deletion condense successful and failed attempts by users to access objects; an object deletion activity report additionally performs automatic event correlation.
Also among the available Event Analyst reports are these more recent additions:
- Password Change Attempts By Users
- Password Reset Attempts By Administrators or Account Operators
- Successful Network Logons - Workstations and Servers (Condensed)
- Successful Network Logons - Workstations and Servers (Detailed)
- Computer Account Management - Tracks the addition, removal, and modification of computer accounts within your domain, and shows the user responsible for the action.
- Unexpected Shutdown Tracker - Displays the reasons given by administrators and server operators for unexpected shutdowns on Windows 2003 servers.
Sample Screenshots
Directory Service Access Attempts - Successes
[Screenshot 1]
[Screenshot 2]
This report tracks all successful Active Directory object access attempts. Access attempts are sorted by user and the type of object being accessed. Use this report to determine who is making changes to specific Active Directory objects.
Directory Service Access Attempts - Failures
[Screenshot 1]
[Screenshot 2]
This report tracks all failed Active Directory object access attempts. Access attempts are sorted by user and the type of object being accessed. Use this report to track unauthorised access attempts to objects stored in your Active Directory.
Error and Warning Activity
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
This report displays all sources which have registered error or warning events inside the event log. Use the report to identify certain applications or system hardware which may not be functioning correctly.
Event Activity By Source Name
[Screenshot 1]
Use this report to see tallies of event types (e.g. warnings, information events) for all source names represented in the event log data you selected. This can be useful in pinpointing log sources which are raising abnormally large amounts of events, etc.
Failed Object Access Attempts
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
This report displays failed object access attempts, sorted by user and by the type of object being accessed. Furthermore, the report indicates whether or not an attempt to open the object was made locally, or over the network. Use this report to determine when users are attempting to access resources they do not have permission to use (open).
Filtered Event Frequency Within a 24-Hour Window
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
This report, given a filtered event log source, calculates the number of events found during each hour of a 24-hour daily window. Therefore, you can use this report to track how frequently particular activities occur during different times of the day, such as logon attempts, etc.
Group Management
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
[Screenshot 4]
The group management report tracks group creation, deletion, and general group modifications (other than membership changes). For convenience, group management actions are sorted by the administrator account modifying the group, the group account being modified, and the type of action performed. In addition, the report is also sorted by the scope of group affected (e.g. local, global, and universal).
Group Membership Activity
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
[Screenshot 4]
[Screenshot 5]
This report tracks changes to group membership over time. Use this report to quickly determine what groups have had their memberships modified, and the administrator account responsible for changing the membership.
Logging Verboseness by Source
[Screenshot 1]
[Screenshot 2]
This report calculates the average number of events generated per hour by sources present in the event log. Use this information to determine which sources are responsible for the majority of event log entries. If configurable, you may want to reduce how verbose these applications or subsystems are in regards to event logging.
Logon Failures - Active Directory (Kerberos)
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
[Screenshot 4]
This report tracks Kerberos logon failures of domain accounts that are recorded on Active Directory servers. Use the Logon Failures - Local Logons on Workstations and Servers report to track local logon failures that occur on individual workstations and servers.
Logon Failures - Local Logons on Workstations and Servers
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
[Screenshot 4]
This report quickly summarizes all failed local logons (e.g. Interactive, Terminal Server, Service Account, IIS) in a given event log source. Use this report to determine unauthorised access attempts or other violations of logon policy. Failures are sorted both by the offending user account, and by the type of logon failure. To track account logon failures (e.g. Kerberos) on Windows 2000 and 2003 domain controllers, use the Logon Failures - Active Directory (Kerberos) report.
Object Access Attempts - Failures
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
This report displays failed object access attempts, sorted by user and by the type of object being accessed. Furthermore, the report indicates whether or not an attempt to open the object was made locally, or over the network. Use this report to determine when users are attempting to access resources they do not have permission to use (open).
Object Access Attempts - Successes
[Screenshot 1]
[Screenshot 2]
This report displays successful object access attempts, sorted by user and by the type of object being accessed. Furthermore, the report indicates whether or not an attempt to open the object was made locally, or over the network. Use this report to determine who is making changes to files, folders, and registry entries.
Printer Activity
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
This report reviews all print job events in a system log source, and tallies print resources used by individual users, over all printers and on individual printers.
Process (Program) Usage
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
Use this report to determine how often users execute certain programs.
Shutdown and Restart Activity Tracker
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
Use this report to view shutdown and restart activity on Windows 2003 Servers and Windows XP Workstations with the Shutdown Tracker enabled.
Successful Logons - Workstations and Servers
[Screenshot 1]
[Screenshot 2]
This report quickly summarizes all successful non-Kerberos logons on a workstation or server. Use this report to determine when users logon to local and network systems. Logons are sorted both by the user account name, as well as the computer where the logon occurred.
System Uptime Approximation
[Screenshot 1]
[Screenshot 2]
This report is designed to display an uptime approximation for one or more computers, given a system event log source. Because event log activity is not constant, this report should be viewed as a useful approximation of server reliability, but not an absolute calculation of uptime percentages.
Top 10 Most Frequently Occurring Events
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
This report displays the top 10 most frequently occurring events from a given event log source, ordered from most frequent to least frequent with percentages. Use this report to identify trends like network utilisation, hardware errors, or security problems. Although an example event is displayed for each of the most frequent entries, the actual description can vary due to different parameters.
User Account Lockouts
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
Use this report to track when user accounts are locked out due to logon failures and violations of logon policy. You can use this report to track local and domain user lockouts.
User Account Management
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
This report tracks all user account management activities, such as account creation, deletion, and modification. Furthermore, modified accounts are sorted by account name, the administrator account managing the user, and the type of management performed.
User Activity
[Screenshot 1]
User Activity in Auditing Categories
[Screenshot]
This report quickly tallies user activity in all auditing categories, so you can quickly see if there is atypical activity occurring on the network or on certain computers (e.g. many failed logons, etc.).
User Sessions (Total Logon Times)
[Screenshot 1]
[Screenshot 2]
[Screenshot 3]
This report tracks interactive user and Terminal Services user logons and logoffs, determining the time of each user's session on the computer. NOTE: In certain circumstances, unclosed process handles can prevent corresponding logoff events from being generated in the Security log. Therefore, some session times may be approximated if a logoff event cannot be found.
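As an added illustration of the logon/logoff pairing this report performs (not Dorian's code, and the event records are constructed), the following pairs logons with logoffs by logon ID and approximates the end of any session whose logoff event never appeared. The approximation rule used here (close at the user's next logon, else at the end of the log window) is an assumption, not Event Analyst's documented method.

```python
"""Pair logon and logoff events into user sessions, approximating missing logoffs."""
from datetime import datetime

# Constructed records: (timestamp, kind, user, logon_id). The logon_id ties a
# logoff to the logon that opened the session.
SAMPLE_EVENTS = [
    (datetime(2008, 3, 3, 8, 0), "logon", "CORP\\jdoe", "0x1a2b"),
    (datetime(2008, 3, 3, 9, 15), "logon", "CORP\\asmith", "0x2c3d"),
    (datetime(2008, 3, 3, 12, 0), "logoff", "CORP\\jdoe", "0x1a2b"),
    (datetime(2008, 3, 3, 13, 0), "logon", "CORP\\jdoe", "0x4e5f"),
    # asmith's session never records a logoff (e.g. an unclosed process handle)
    (datetime(2008, 3, 3, 17, 30), "logoff", "CORP\\jdoe", "0x4e5f"),
]
LOG_WINDOW_END = datetime(2008, 3, 3, 23, 59, 59)


def build_sessions(events, window_end):
    """Return session dicts (user, start, end, approximated), sorted by start.

    A session with no logoff event is closed at the user's next logon if one
    exists, otherwise at the end of the log window, and marked approximated.
    (Assumed heuristic: it would mis-close genuinely concurrent sessions.)
    """
    open_sessions = {}  # logon_id -> session dict
    sessions = []
    for ts, kind, user, logon_id in sorted(events, key=lambda e: e[0]):
        if kind == "logon":
            # a new logon by the same user closes any still-open session of theirs
            for sid, sess in list(open_sessions.items()):
                if sess["user"] == user:
                    sess["end"], sess["approximated"] = ts, True
                    sessions.append(open_sessions.pop(sid))
            open_sessions[logon_id] = {
                "user": user, "start": ts, "end": None, "approximated": False,
            }
        elif kind == "logoff" and logon_id in open_sessions:
            sess = open_sessions.pop(logon_id)
            sess["end"] = ts
            sessions.append(sess)
        # a logoff with no open session (logon predates the window) is ignored
    for sess in open_sessions.values():
        sess["end"], sess["approximated"] = window_end, True
        sessions.append(sess)
    sessions.sort(key=lambda s: s["start"])
    return sessions


def total_logon_seconds(sessions):
    """Sum session durations per user, in seconds (the 'Total Logon Times' tally)."""
    totals = {}
    for s in sessions:
        seconds = int((s["end"] - s["start"]).total_seconds())
        totals[s["user"]] = totals.get(s["user"], 0) + seconds
    return totals


if __name__ == "__main__":
    found = build_sessions(SAMPLE_EVENTS, LOG_WINDOW_END)
    for s in found:
        flag = " (approximated)" if s["approximated"] else ""
        print(s["user"], s["start"], "->", s["end"], flag)
    print(total_logon_seconds(found))
```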
LogRefiner
LogRefiner™ Technology May Prove Critical To Maintaining Your Log Management Strategy
There are a number of complications associated with existing log strategies - usually designed only for the soon-to-be "legacy" EVT format - and the log data being generated by Windows Vista ™ and upcoming versions of Windows Server ® via the new EVTX format.
But, Dorian's exclusive LogRefiner technology enables you to move to the EVTX format at your speed and on your terms. Many compliance standards require that log data be maintained for a period of years. Therefore, in most - if not all - cases, maintaining EVTX and EVT formats alongside each other will be necessary at least for some time after IT organisations begin to adopt the new format.
Be wary of log products on the market that require management of logs in one but not both formats. Also, be wary of proprietary back-end databases. Both of these factors will not only further complicate migration matters for you in the future, they will likely cause serious disruptions in your log management strategy. If your organisation's compliance efforts rely on log management - as many do - such a disruption cannot be afforded.
Whether or not your organisation plans on adopting the new format, why not be ready for it anyway? Capabilities powered by LogRefiner technology that appear in Event Analyst 6.0 and later include:
Downlevel EVT File Processing in Windows Vista
Dorian's exclusive LogRefiner technology can read, filter, and report on EVT files from downlevel systems directly alongside the EVTX files from Windows Vista and newer operating systems.
With Event Analyst's exclusive new technology, no information goes missing when converting downlevel EVT files into new formats – all event log fields are processed properly the first time.
Streamlined Fields Between EVT and EVTX Logs
Did you know that Windows Vista’s EVTX logs have even more fields? Event Analyst can now be instructed to automatically consolidate these fields - the Keyword and Opcode fields specifically - into the Task (Category) field so that you can have a uniform field structure when working with EVT and EVTX log files.
Field Consistency Across Logs
In the Windows Vista Security Log, no information about the user performing the action or affected by the action is recorded in the User field when an event is logged. Instead, all user information is placed in the Description of the event.
Event Analyst 6.0 and later, however, has the ability to place the most relevant user information back into the User field as it reads and processes EVTX files. By helping maintain the consistency of log data and its formatting, this feature greatly aids the administrator or compliance officer in charge of reviewing the consolidated data.
Success Audits Versus Failure Audits Defined
Another major change in the Windows Vista security log is that all events are recorded as “Informational.” To discern whether or not the event represents a failed or successful action, the administrator must refer to the Keyword of the event.
But, Event Analyst 6.0 and later - when working with security EVTX Files - has the ability to properly record whether or not the event was a Success Audit or Failure Audit, greatly aiding the reviewer of log data generated from both EVT and EVTX log files.
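The three normalisation steps described above (deriving the audit type from the Keywords field, folding Keywords and Opcode into Task, and putting user information back into the User field) as an added example; this is not Dorian's LogRefiner code, and the EVTX-style records, their field names and their description text are constructed for the illustration.

```python
"""Normalise EVTX-style security records into a uniform EVT-style field layout."""
import re

# EVT-style audit event types that the legacy Security log recorded directly.
AUDIT_SUCCESS = "Success Audit"
AUDIT_FAILURE = "Failure Audit"

# Constructed EVTX-style records: every security event arrives with Level
# "Information", the outcome lives only in Keywords, and User is empty.
SAMPLE_EVTX_RECORDS = [
    {"EventID": 4624, "Level": "Information", "Keywords": "Audit Success",
     "Opcode": "Info", "Task": "Logon", "User": "",
     "Description": "An account was successfully logged on.\r\nNew Logon:\r\n"
                    "\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\r\n"
                    "\tAccount Name:\t\tjdoe\r\n\tAccount Domain:\t\tCORP\r\n"},
    {"EventID": 4625, "Level": "Information", "Keywords": "Audit Failure",
     "Opcode": "Info", "Task": "Logon", "User": "",
     "Description": "An account failed to log on.\r\n"
                    "Account For Which Logon Failed:\r\n"
                    "\tAccount Name:\t\tsvc_backup\r\n\tAccount Domain:\t\tCORP\r\n"},
    {"EventID": 4720, "Level": "Information", "Keywords": "Audit Success",
     "Opcode": "Info", "Task": "User Account Management", "User": "",
     "Description": "A user account was created.\r\nSubject:\r\n"
                    "\tAccount Name:\t\tadmin1\r\n\tAccount Domain:\t\tCORP\r\n"
                    "New Account:\r\n"
                    "\tAccount Name:\t\tnewhire\r\n\tAccount Domain:\t\tCORP\r\n"},
]

_ACCOUNT_RE = re.compile(
    r"Account Name:\s*(?P<name>\S+)\s*Account Domain:\s*(?P<domain>\S+)")


def audit_type_from_keywords(keywords):
    """Map the EVTX Keywords value onto the EVT-style audit type.

    Returns None when the keywords carry no audit outcome, so the caller can
    fall back to the record's Level.
    """
    kw = keywords.lower()
    if "audit success" in kw:
        return AUDIT_SUCCESS
    if "audit failure" in kw:
        return AUDIT_FAILURE
    return None


def user_from_description(description):
    """Pull a DOMAIN\\account pair out of the Description text.

    Several blocks (Subject, New Logon, New Account) may each carry one; the
    last block is taken here as the account the event is about. That choice
    is an assumption for this example, not the product's rule.
    """
    matches = _ACCOUNT_RE.findall(description)
    if not matches:
        return ""
    name, domain = matches[-1]
    return f"{domain}\\{name}"


def normalise(record):
    """Return an EVT-style record with a uniform field structure."""
    return {
        "EventID": record["EventID"],
        "Type": audit_type_from_keywords(record["Keywords"]) or record["Level"],
        "User": record["User"] or user_from_description(record["Description"]),
        # fold Keywords and Opcode into Task so EVT and EVTX rows line up
        "Task": f"{record['Task']} [{record['Keywords']}; {record['Opcode']}]",
        "Description": record["Description"],
    }


def normalise_all(records=SAMPLE_EVTX_RECORDS):
    return [normalise(r) for r in records]


if __name__ == "__main__":
    for row in normalise_all():
        print(row["EventID"], row["Type"], row["User"], row["Task"])
```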
Printed from www.pnltools.com © 2008 PNLTools Limited. All rights reserved